Hello from Germany,

I have a problem with the following constellation:

A Samba fileserver - Samba 3.5.6 - running in a Windows AD as a member server using idmap_ad for mapping the user IDs. This all works fine as long as the LDAP port 389 is available on the domain controllers. Now, our AD admin wants to close this and move over to LDAPS. And here is my problem. How do I configure my Samba server, or rather winbindd, so it only communicates on port 636? I think I tried all combinations available in the manuals but it still uses port 389 (e.g. ldap ssl = start tls + ldap ssl ad = yes, winbind rpc only = Yes, name resolve order = host). The idmap backend should stay on "ad" for the ADS and we do not want to change it to an ldap.

What we discovered is this:

- In the gencache it always has the NBT/<DOMAIN>#1C entry for the DCs with port 389.
- We changed the SRV entries for _ldap._tcp.dc._msdcs.<domain> so they return port 636 - no difference regarding the entry in the gencache.
- As soon as I close outgoing communications on port 389 using iptables, the gencache entry changes to port 636 - but winbindd is unable to open any network connection.

So, obviously winbindd needs some initial communication on port 389 when connecting to AD - which it shouldn't.

Any ideas welcome.

Greetings
Andreas Ollenburg
Kommunales Rechenzentrum Minden-Ravensberg / Lippe
Tel.: 05261 / 252-108
Fax: 05261 / 932-108
E-Mail: a.ollenburg at krz.de
http://www.krz.de
On Thu, Jul 28, 2011 at 12:31:22PM +0200, Ollenburg, Andreas (KRZ) wrote:
> A Samba-Fileserver - Samba 3.5.6 - running in a Windows AD
> as a member server using idmap_ad for the mapping the
> User-IDs. This all works fine as long as the LDAP-port 389
> is available on the domain controllers. Now, our AD admin
> wants to close this and move over to LDAPS. And here is my
> problem. How do I configure my Samba server - resp.,
> winbindd - so it only communicates on port 636? I think I
> tried all combinations available in the manuals but it
> still uses port 389. (e.g. ldap ssl=start tls + ldap ssl
> ad = yes, winbind rpc only = Yes, name resolve order =
> host). The idmap backend should stay on "ad" for the ADS
> and we do not want to change it to an ldap.

Right now you can't do that. What you can do is convince your admin to leave 389 open but to enforce SASL encryption for LDAP communication. There are registry settings for that. Then set

client ldap sasl wrapping = seal

in your smb.conf.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
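As an added illustration (constructed here, not posted in the thread), this smb.conf [global] fragment puts the reply's suggestion next to the original poster's constraint of keeping the "ad" idmap backend; workgroup, realm and the idmap ranges are placeholders.

```ini
# Constructed example smb.conf fragment for a Samba 3.5 AD member server.
# Workgroup, realm and idmap ranges are placeholders, not values from the thread.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads

    # The poster's requirement: keep the AD-based idmap backend
    # (Samba 3.5 idmap syntax).
    idmap backend = ad
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    winbind nss info = rfc2307

    # Weak setting: "plain" leaves winbindd's LDAP traffic to the DCs on
    # port 389 without SASL integrity or confidentiality protection.
    #client ldap sasl wrapping = plain

    # Corrected setting from the reply: require SASL signing and sealing
    # on that same port-389 LDAP connection. Pair it with the DC-side
    # policy that enforces LDAP signing/sealing so unprotected binds are
    # rejected by the server as well.
    client ldap sasl wrapping = seal
```

Note that this protects the existing port-389 connection rather than moving winbindd to LDAPS on 636, which the reply states is not possible with this Samba version.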